Date: Fri, 5 Nov 2010 10:09:38 -0500
Organization: University of Minnesota

The new certificate has been installed.
I wrote:
> Attention web admins using CAH:
>
> The SSL certificate for x500.umn.edu (the validation service for CAH
> cookies) will be expiring shortly. We will be using the new InCommon CA
> to issue the new cert, which means the certificate will reference a
> different root CA than before.
>
> If your implementation of CAH checks the validity of the SSL
> certificates, you might want to ensure that the new root CA is trusted
> by the code that is performing the SSL connection.
>
> The Apache modules mod_cookieauth and mod_cookieauth2 do NOT validate
> the SSL certificates, and will NOT be affected by this change.
>
> Unless you specifically had to import the Thawte root cert and trust it
> in the past, then probably either (1) your software is not doing cert
> validation or (2) you already have the new root CA trusted. The latter
> is probably true of installations with a centralized system certificate
> store (e.g. Windows/IIS/.NET).
>
> If you do need to import the new root CA, I've included it below my
> signature. If you don't trust email, you can also export it from any
> recent browser (the certificate name is "AddTrust External CA Root",
> issued 05/30/2000).
>
> If you have a test instance of your server, you can try pointing your
> validation code at x500-test.umn.edu (instead of x500.umn.edu), on the
> usual port 87. It is already set up and configured with a certificate
> issued from the new CA. However, it references the test X.500 directory
> which is not fully populated, so send me email (privately) if you would
> like to have your production directory entry cloned over to the test
> directory temporarily.
>
> The production certificate expires on Saturday afternoon. In an attempt
> to allow folks to catch problems before the weekend, I'm planning to
> install the certificate on Friday at 10am. I apologize for the late
> notice; as most of our SSL certificates are browser-facing, the
> supported browsers all have the new root CAs so no action is necessary.
> But for a few things (such as this service), there is non-browser code
> making the connection so we can't make the same assumptions.
>
--
%% Christopher A. Bongaarts %% [log in to unmask] %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
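
The failure mode the message warns about, as an added example that is not part of the original message: a client that validates certificates and trusts only the old root rejects a certificate issued under a new root until that root is added to its bundle. All keys, certificates and names are constructed locally; it assumes the openssl CLI is installed and makes no network connection.

```shell
#!/usr/bin/env bash
# Added illustration: every key, certificate and name below is constructed.
# Assumes the openssl CLI is installed; nothing here touches the network.

# Prints "<verdict with old root only> <verdict with new root added>".
root_change_demo() {
  local d ca before after
  d=$(mktemp -d) || return 2

  # Two self-signed roots: the one a client already trusts and the new issuer's.
  for ca in old new; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=Constructed $ca root" \
      -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 2
  done

  # Server certificate for the validation service, issued under the NEW root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=validator.example" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 2
  openssl x509 -req -in "$d/srv.csr" -days 1 \
    -CA "$d/new.pem" -CAkey "$d/new.key" -CAcreateserial \
    -out "$d/srv.pem" 2>/dev/null || return 2

  # A client whose trust store still holds only the old root rejects the chain.
  if openssl verify -CAfile "$d/old.pem" "$d/srv.pem" >/dev/null 2>&1
  then before=trusted; else before=untrusted; fi

  # Appending the new root to the bundle (the old one stays) fixes validation.
  cat "$d/old.pem" "$d/new.pem" > "$d/bundle.pem"
  if openssl verify -CAfile "$d/bundle.pem" "$d/srv.pem" >/dev/null 2>&1
  then after=trusted; else after=untrusted; fi

  rm -rf "$d"
  echo "$before $after"
}

root_change_demo
```

For a live chain, `openssl s_client -connect x500-test.umn.edu:87 -CAfile bundle.pem` reports the verify result against a given bundle, assuming the service speaks TLS directly on that port.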